According to CompTIA's 7th Annual Trends in Information Security: an Analysis of IT Security and the Workforce study, the primary cause of many security breaches is unintentional end-user error-often by non-IT staff. The most significant costs of security breaches remain the overall impact on employee productivity according to the study. About one-third of U.S. respondents cite loss productivity as the top consequence of a breach, followed by a disruption of revenue-generating activities.
"The exact amount of money lost to IT security breaches is tough to calculate because of the difficulty in estimating lost productivity," said Tim Herbert, CompTIA VP of Research and author of the study. "But the data suggests security breaches cost U.S. companies in excess of $17 billion annually, and most likely significantly more."
The CompTIA study found that in 2008, the average number of security breaches increased only slightly over previous years, but that the severity levels have increased more substantially. This suggests that while many organizations have made significant progress in dealing with security issues, the number, type and severity of threats have adapted in step. Spyware, viruses, worms and a lack of user awareness remain the most common IT security threats as in years past. However, security threats from browser-based attacks, spyware, use of handheld devices and voice over IP intensified in 2008 for the majority of respondents.
To address these evolving threats, support mechanisms such as disaster recovery plans, dedicated security teams, security trainings and formal policies for responding to incidents have been adopted by many firms. These are supplemented by preventive technologies, such as firewalls and antivirus software used in combination. A growing number of U.S. firms are using other technologies (to a lesser degree) including intrusion detection systems, physical access control, and multi-factor authentication.
"There is little doubt that companies recognize the importance of IT security and are willing to spend money to fortify their systems against attack," said Herbert. "It is less clear that firms fully understand the value of training end-users to avoid inadvertently compromising IT security."
According to the CompTIA study, almost all U.S. respondents (87%) note improvements in security when their organizations provide security training for non-IT employees, notably through increased awareness and proactive risk identification. However, while the majority of organizations require security training for IT staff (54%), relatively few firms (45%) require non-IT staff to be similarly trained.
"The first and most important thing is to implement a comprehensive data security policy," Herbert explained. "Once a proper IT security policy is in place, non-IT employees should be trained to avoid causing an accidental breach."
A comprehensive IT security training program should explain the IT security policy and the reasons behind any restrictions. This will encourage compliance without stifling creativity and will have the added benefit of teaching staff about some of the ways they may inadvertently cause a security breach.
Consider other types of workplace education, such as the OHSA "safety first" workplace campaign as a good example of how an internal awareness campaign can keep staff focused on occupational hazards. The IT security training program should cover common end-user IT security mistakes like the following examples:
- External storage devices can compromise security by allowing viruses and other malware to bypass network security safeguards. Simply connecting a USB "thumb" drive, SD card or portable hard drive to a desktop computer can infect the entire network from inside the same way a hypodermic needle could easily transmit bloodborne viruses that couldn't otherwise penetrate the skin.
- Sensitive, confidential data can be sent out inadvertently as part of routine email correspondence. It isn't difficult to imagine emailing a spreadsheet of names without noticing that one of the tabs contains credit card numbers. An internal company owner of each data class should be appointed to monitor and maintain confidentiality. Staff should be trained to identify, label and protect sensitive data so they don't inadvertently give away the keys.
- The data contained on IT hardware such as laptops and smart phones can be as valuable as the hardware itself. Staff should be aware of how hardware is commonly lost or stolen (from cars, airport security, hotel rooms, etc.) and be given the tools (such as cable locks) to secure their devices. Further, they should know what is safe to store on the devices and how to use any included encryption software.
- Security can be compromised by staff accessing (or trying to access) sensitive data from an infected machine or over an insecure network connection. Trying to log in to a secure network from a machine that is infected with a key-logger or other spyware can expose a user's password and other sensitive data to a third party. Using an insecure wireless network to access sensitive data also can pose a security risk. Staff should be trained to avoid using insecure machines or unencrypted networks to access corporate networks or sensitive data.
"Information technologists tend to focus on the technology that protects their sensitive information," Herbert explains. "But they can't afford to ignore the human element. The best lock in the world can't protect a vault if someone leaves the door open."
CompTIA's 7th Annual Trends in Information Security: an Analysis of IT Security and the Workforce focuses on identifying key trends in IT security, quantifying current and future spending on IT security, assessing the costs associated with IT security breaches, understanding the causes of IT security breaches and impact of these breaches, and determining the effectiveness of IT security training and certification. More than fifteen hundred IT professionals responsible for security at their organizations answered the questionnaire. Respondents were from the United States, Canada, India the United Kingdom, and China and represented a wide range of industries including Education, Financial Services, Government, Healthcare and IT.
